
Data Security for Retailers: A Checklist to Help Minimize the Cost of a Data Breach

Posted on: July 12, 2018

By: Ivan Long

Do you carry fire insurance for your business? Most retailers do, and they also put measures in place such as smoke detectors, fire extinguishers, and policies designed to prevent fires. They probably do regular checks on this equipment to reduce their risk. That’s great, but there is another risk that is equally dangerous, far more likely to strike the average small business, and one that many have done almost no preparation for: the risk of a security breach.

Equifax recently revealed that its 2017 data breach was even worse than originally suspected: 146 million Americans had their names, dates of birth, and Social Security numbers exposed because a patch had not been applied on one of Equifax’s servers. Millions of people also had further information stolen, including their full addresses, driver’s license data, phone numbers, and more. When you factor in the number of children and other people with no credit records, this means a large majority of Americans had their identity stolen.

Equifax is far from the only company breached recently; if you shopped at Sears, Kmart, Sonic, Forever 21, Delta Airlines, Best Buy, Panera Bread or Saks Fifth Avenue in the last year, your data may currently be for sale on the dark web. In addition, the recent Facebook controversy has re-ignited discussions about data privacy and the obligations of companies.

What should concern retailers most is this: hackers have increasingly turned to small and mid-size businesses as targets. For every Best Buy or Saks Fifth Avenue breach you hear about, there are dozens of smaller retailers getting breached. And the cost for smaller retailers can be very high: KPMG estimates that 19% of customers will stop shopping at a retailer altogether when they learn of a data security breach, and a further 33% will take a “long-term break”. That combined 52% of lost or paused customers comes on top of the direct costs of a breach to the retailer: mitigation measures, audits, investigations, and fines.

Have you started a data security review at your company? If not, or if it has been some time since the last security review, now is the time for you to start the process. There are absolutely things you can do to make your company a more difficult target, and to help protect yourself.

This post is intended to give you a quick overview of security, and a starting point you can use to begin an initial security review.

What does data security mean?

Most industry experts summarize data security in three words: Confidentiality, Integrity, and Availability.

Different businesses may have a different primary focus. For a bank, for example, the integrity of its data is the most important factor: how much customers have in their accounts, who holds which loans, and so on. For most retailers, however, confidentiality is likely the key security concern, so it is the one I will focus on in this post.

To prevent confidentiality breaches of your data, here are three questions you can ask yourself about your data security that will help you determine the proper next steps.

The Three Key Questions

1. What confidential data do I have?

The most important thing to begin with is an inventory of the confidential or sensitive data you have in your organization. Broadly speaking, there are likely five key areas (at a minimum) to examine:

Payment Card Information (PCI): What data do you have that pertains to payments made in the store? Credit card numbers, expiry dates, and cardholder name would be examples. Are your systems in-scope for payment card data, or certified out of scope? Are they PCI compliant and listed on the PCI council’s website?

Personally Identifiable Information (PII): What information do you have about your customers that is governed by data security and privacy regulations? These regulations can vary from country to country, and state to state. For example, do you retain customer names, addresses, emails, phone numbers, age, gender, purchase history, or other records?

Personal Health Information (PHI): Do you keep any data related to an individual’s medical records or status? This data is even more sensitive than PII. Pharmacies, insurance firms, and sometimes HR departments, as examples, need to be concerned about PHI.

Employment Information: This is personally identifiable information about your employees such as Name, Address, Social Security Number, Income, and any other information about them.

Accounting Information or other Sensitive “Store” Data: This is information that you, as a business owner, need to protect on your own behalf. It may include financial and accounting data, regulatory paperwork, or other sensitive or confidential information about your business.

For each of the above data types you have identified in the first step of your data security review, you should examine some key questions about that data:

Where is confidential data stored? Is it encrypted “at rest”?

Once sensitive data is identified, the next question to consider is: where is this data stored?

Broadly speaking, data security professionals consider data to have two states: “in motion” covers data while it is being transmitted or used, and “at rest” covers data that is stored and not presently in use. Today, instead of paper, most data at rest resides in computers and their associated hard disks, backup devices, or other electronic media.

Start by looking at the physical devices in the store. Typically, these will be actual computers, including desktops, laptops, tablets, servers, and in some cases phones. For each device, ask yourself “could this device contain any of the confidential information I noted above?”. Obvious “yes” answers would include:

Point of Sale Systems such as Auto-Star, Micros, and Lightspeed.

Accounting and Payroll systems such as QuickBooks, Sage or Microsoft Dynamics.

For each of the “Yes” answers you find, we recommend reaching out to your vendors. Ask them, in writing, to answer each of the following questions:

Please confirm whether any of the following information is stored on this device: [include the list of data you’ve previously identified].

What files and directories contain this confidential information?

For the files and directories identified above, is the data encrypted on this disk? What method is used to encrypt the data?

By default, how long does your system keep the confidential information? Is there a purge function available? If so, is old data purged automatically after a certain amount of time, or is action required by users to purge it?

Is your system certified by an independent auditor or body with regards to encrypting data at rest? Where can I get a copy of that certification?

Note that any software vendor whose product is compliant with the Payment Card Industry Data Security Standard should be listed on the PCI Council website at www.pcisecuritystandards.org/security_standards/vpa/. Solutions that claim to meet the standard but are not validated have zero value in terms of diligence and compliance.

Who is responsible for the following actions on this device?

Running required updates to the operating system.

Ensuring that any required anti-virus or other software is installed and kept up to date.

Ensuring that any data is backed up.

Note that it may not be a legal or regulatory requirement to encrypt all of this data, but having it encrypted will make your life easier. Some of the data we’ve discussed is required by law or regulation to be encrypted. Consult a security professional for a list that would apply in your specific case and jurisdiction.
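One way to cross-check a vendor’s answer to “what files and directories contain this information?” is to scan your own reports, CSV exports and logs for card-number-like strings. The following is an added example (not code from the original post or from Auto-Star): each candidate is validated with the Luhn check and a shortlist of issuer prefixes, and only masked numbers are reported so the report itself does not become another copy of card data. The sample input is constructed from public test card numbers.

```python
import re
from typing import List, Optional, Tuple

# Loose candidate: 13-19 digits, optional single space/dash separators, not glued to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def brand_of(pan: str) -> Optional[str]:
    """Shortlist of issuer prefixes (IINs) for the major brands; not exhaustive."""
    if pan[0] == "4" and len(pan) in (13, 16, 19):
        return "Visa"
    if len(pan) == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    if len(pan) == 15 and pan[:2] in ("34", "37"):
        return "Amex"
    if len(pan) == 16 and (pan[:4] == "6011" or pan[:2] == "65"):
        return "Discover"
    return None

def mask(pan: str) -> str:
    # The report must not become another copy of card data: keep the last 4 only.
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_text(source: str, text: str) -> List[Tuple[str, int, str, str]]:
    """One (source, line number, brand, masked PAN) tuple per Luhn-valid, brand-matching
    number. Hits are leads to verify by hand: a Luhn-valid order number can match too."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                findings.append((source, line_no, brand, mask(digits)))
    return findings

# Constructed sample, not real customer data; the card numbers are public test PANs.
SAMPLE = """\
receipt 1042: paid with card 4111 1111 1111 1111 exp 12/21
order ref 4111111111111112 fails Luhn, so it is not reported
phone 555-0100-5550100 has no matching brand prefix or length
amex on file: 3782-822463-10005
mc on file: 5500000000000004
"""
```

Run it over a real export with scan_text(path, open(path, errors="ignore").read()); any hit outside the payment application’s own encrypted storage is a lead to raise with the vendor.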

You should also examine your own data security procedures on any system that you’ve identified above.

Is each of your users using their own login, with a strong password known only to them?

Are you using any 2-factor authentication (for example, a biometric fingerprint reader plus a password)?

Have you done an inventory of which users can access which data? Does that list make sense?

Do you have policies on these devices that prevent common attack vectors? For example, systems that contain confidential information should never be used to check personal email or for personal web surfing. These are the number one vectors by which attackers and malware get into your systems.

Pay special attention to laptops, backup devices, or other systems (such as tablets) that may leave the store. These devices are particularly vulnerable because they are easily stolen, so it is particularly important that they have “Full-Disk Encryption” or equivalent protection. A logon password will not protect a laptop or backup device that is physically in the hands of thieves; without encryption, the underlying files are easily obtainable without the password.

Also pay special attention to remote access tools such as “TeamViewer” and “GoToMyPC” on these devices. It is now a regulatory requirement that any remote access to systems holding certain types of data (for example, any system that transmits or stores payment data) use two-factor authentication for all remote access.

2. When / Where / To Whom is confidential data transmitted? Is it encrypted “in motion”?

Data that is “in motion” is moving either within a computer system or, more commonly, through your network. Data in motion is susceptible to theft because it is not always securely encrypted, and in some places may travel over protocols that are easily cracked. Some questions to consider include:

For all of the data types that you identified, is there any motion of that data within the store environment? For example:

Does the data get transmitted from one computer to another computer in your location? Examples include payment card information going from a PIN entry device to a register, or from a front-of-store PC to a back-of-store PC.

Does any of the data you’ve identified ever get sent over the internet or other networks to third parties?

Is accounting or payroll data ever transmitted to a third party, such as a bank or bookkeeper?

Is information about your point of sale transactions transmitted outside the store? Does it contain any customer names, addresses, phone numbers, or other information?

For each of the above, ask yourself or your vendors:

Is the data encrypted during each of these transmissions?

How is the data encrypted?

Is there any case where it is being transmitted using an insecure protocol? Both email and FTP should be considered extremely unsafe, in almost all instances.

Is your system certified by an independent data security auditor, or body, with regards to encrypting data in motion? Where can I get a copy of that certification? Note that having obtained a copy of this certification shows you have done significant due diligence.

Do you have firewalls enabled on your “Network Edge” at the store? Are these devices properly maintained and updated? Who is responsible for keeping them up to date?

Do you have firewalls or firewall software enabled on individual devices?

Do you have wireless access enabled? If so, is it properly segmented away from your internal network that contains confidential information? Who secures that wireless network?

For the parties that receive data from you, do you have agreements in place that require them to handle the data with the same protections you are required to apply? Are they accredited, or do they follow any professional standards in the way they deal with confidential data?

Again, encrypting all data in all of the instances above may not be a requirement, and in some cases may not even be possible or practical. But some of this data is required to be encrypted in motion, some or all of the time.

3. What other steps are being done to prevent a data security breach?

Retailers should be using industry best practices to prevent breaches. One of the most common threats in the retail environment today is malware, especially ransomware. Estimates are that 2017 saw a 2500% increase in ransomware over 2016, and a big part of the problem is the “human factor”: people opening infected emails and webpages. There are a number of steps you can take to counter this threat:

First and most basically, do you have traditional anti-virus, and is it up-to-date? While anti-virus software is not particularly effective at countering many ransomware threats, it is a good first step and security experts would all agree that something is better than nothing.

Better than anti-virus is the newer concept of application whitelisting. Rather than the traditional anti-virus approach of blocking known-bad programs by signature (a near-impossible task), application whitelisting prevents ALL programs from running except those that are explicitly allowed. This is a far more effective approach, and it can even be done for free on some versions of Windows 7/8/10 and Windows Server 2016. It does require some setup, though. Contact your software vendor for steps on how to implement application whitelisting.

Do you have other technical measures in place to reduce the risk of malware or a breach? For example, some firewalls update dynamically to stop new threats at the border between your organization and your internet provider. Newer measures such as preventative DNS filtering can be used to block malware and increase your data security. Again, many of these options are free but may require some technical setup.

Lastly, and most importantly, do you have policies in place that help counter the “human factor” in your organization? Is there a clear policy telling staff not to open personal email or browse unneeded websites? Have individuals been made aware of your privacy policy and of your expectations for how they treat confidential data? Is there a policy against sharing passwords? You may want to consider biometrics as an option to prevent password sharing, as it is far cheaper today than in previous years.

Summary and Wrap Up

Data security is like eating an elephant; you need to do it “one bite at a time”, and the sooner you start, the better off you will be. Getting truly secure is a complicated process that involves a lot of work, and ongoing diligence. Many retailers will feel overwhelmed with starting the process of making sure their systems are secure.

Ultimately, you are responsible for data security in your store in the same way that you are responsible for other legal, government, and regulatory requirements. These days, not reviewing and assessing your security is no longer an option. Much like having fire insurance, security is a requirement.

Pay particular attention to PCI and related credit card security standards. Unlike some of the PII items, which have ‘recommendations’, PCI data security standards are now a long-standing requirement, and both processors and card brands are beginning to crack down on independent merchants still not running compliant software. Be sure that your system is certified PA-DSS compliant on the PCI Council website to avoid fines, or worse.

There are things you can do to make this process easier. Using reputable vendors that have already obtained security certifications will go a long way towards reducing your work: you will have considerably less work to prove a system is secure if the vendor already has the paperwork proving it. You may also wish to engage outside firms that can assist you with assessing your security; these days there are reasonably priced, reputable options available. Auto-Star engages with one of these firms regularly and can provide a recommendation.